Newsletter
In This Issue
The Value of Data
Financial Reform is Here
Managing Service Providers for PCI DSS Compliance
ProPay Announces ProtectPay OVT
ProPay Introduces Mobile Processing Solutions
Upcoming ProPay Events
Greetings!

In the payment processing world, it is easy to focus on the security of customer account information and the protection of that data against data thieves.  But data can also be a good thing for businesses.  In fact, certain types of data can be used to identify suspicious transactions. ProPay's risk team offers some insight on how data can be used by merchants to help identify suspect transactions.
 
Also, the Durbin Amendment has been on the minds of many merchants for the past several months.  We'll provide an update on the progress of the amendment and what that means to merchants across the country.

At ProPay we've been busy enhancing our products and adding new features.  We have two new features to announce, ProtectPay OVT and ProPay Mobile, and are proud to provide readers with more information on them in this issue. 
 
Lastly, we'd like to encourage everyone to visit the ProPay Blog, where you can receive frequent updates on industry happenings, trends in technology and in data breaches, legal and risk issues and more.  You can visit the Blog by following this link.

As always, feel free to forward this newsletter to anyone that might be interested. 
 
 
Sincerely,
 
 
The ProPay Team
newsletter@propay.com
888-227-9856
The Value of Data
by Drew Petersen, AVP Risk Management

In the arena of risk and fraud prevention in the payment card industry, data is the proverbial Aegis shield.  Data is the best defense a merchant has against chargebacks and losses, and because of the more anonymous nature of the Internet, it is especially vital for an e-commerce merchant.  It is imperative that a merchant understand and gather as much customer and transactional data as possible in order to create an accurate picture of each and every customer the merchant deals with.  While more data is better, merchants should not store highly sensitive data elements like full card numbers or card verification values (CVV2, CVC2, etc.).
Data can, and should, be used to help merchants understand where their customers are coming from, and should be used to establish trends, payment card processing patterns or other identifiable behaviors.  Fraud is often discovered in customers or transactions that lie outside of a merchant's standard processing variations.  For example, the merchant could ask itself: 
  • Is the size or volume of one or many transactions outside of standard processing patterns?
  • Are the transactions coming in at unusual times?
  • Do the transactions involve international cards but request domestic shipment?
  • Are excessive transactions coming from one IP address or physical location?
Once a merchant understands its data and recognizes commonalities, the merchant will be able to combine all the information pieces and even develop sophisticated and effective fraud monitoring solutions.  Data doesn't lie and merchants who are very good at retaining and understanding their data will always have a leg up not only on the fraudsters, but much of their competition as well.
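The four questions above can be turned into a simple rule-based screen that a merchant runs over each incoming batch of orders. This is an added example, not ProPay code; the field names, thresholds, home country and all transaction records are constructed for illustration, and the baseline is derived from the merchant's own past transactions rather than fixed in advance.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

HOME_COUNTRY = "US"   # assumption: the merchant ships domestically
Z_THRESHOLD = 3.0     # amount more than 3 standard deviations from the mean
MAX_PER_IP = 3        # more orders than this from one IP address per batch

# Constructed history of the merchant's normal orders: (amount, timestamp)
HISTORY = [(45.00, "2010-07-01T10:15:00"), (52.50, "2010-07-01T13:40:00"),
           (38.00, "2010-07-02T11:05:00"), (61.25, "2010-07-02T16:20:00"),
           (49.99, "2010-07-03T09:50:00"), (55.00, "2010-07-03T18:30:00")]

def build_baseline(history):
    """Derive the merchant's own processing pattern from past transactions."""
    amounts = [amt for amt, _ in history]
    hours = [datetime.fromisoformat(ts).hour for _, ts in history]
    return {"mean": mean(amounts), "std": pstdev(amounts) or 1.0,  # avoid /0
            "hours": range(min(hours), max(hours) + 1)}

def screen(batch, baseline):
    """Return {txn_id: [reasons]} for each transaction that trips a rule."""
    per_ip = Counter(t["ip"] for t in batch)   # order volume per source address
    flagged = {}
    for t in batch:
        reasons = []
        if abs(t["amount"] - baseline["mean"]) / baseline["std"] > Z_THRESHOLD:
            reasons.append("amount outside normal range")
        if datetime.fromisoformat(t["time"]).hour not in baseline["hours"]:
            reasons.append("unusual time of day")
        if t["card_country"] != HOME_COUNTRY and t["ship_country"] == HOME_COUNTRY:
            reasons.append("international card, domestic shipment")
        if per_ip[t["ip"]] > MAX_PER_IP:
            reasons.append("excessive orders from one IP")
        if reasons:
            flagged[t["id"]] = reasons
    return flagged

# Constructed incoming batch: one normal order (T1), one tripping several
# rules (T2), and four small orders from the same IP address (T3-T6).
BATCH = [
    {"id": "T1", "amount": 50.00, "time": "2010-07-04T12:00:00",
     "card_country": "US", "ship_country": "US", "ip": "203.0.113.10"},
    {"id": "T2", "amount": 950.00, "time": "2010-07-04T03:10:00",
     "card_country": "RO", "ship_country": "US", "ip": "203.0.113.11"},
] + [{"id": f"T{i}", "amount": 40.00, "time": "2010-07-04T14:00:00",
      "card_country": "US", "ship_country": "US", "ip": "198.51.100.7"}
     for i in range(3, 7)]
```

Calling `screen(BATCH, build_baseline(HISTORY))` leaves T1 clean, flags T2 on three rules, and flags T3 through T6 on the per-IP volume rule; a flagged order is a candidate for manual review, not an automatic decline.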
Financial Reform is Here
by Tony Allen, General Counsel

This month Congress will pass the Dodd-Frank Wall Street Reform and Consumer Protection Act, which President Obama has stated he will sign into law.  This Act will have a significant impact on how financial institutions, their service providers and merchants do business.  Now is the time to start analyzing how the Act will impact your business. 

The Act includes a major overhaul of the nation's consumer protection regime, with a new federal regulator, the Consumer Financial Protection Bureau (CFPB), as the centerpiece.  Although the CFPB is an agency within the Federal Reserve System, it has wide-ranging autonomy.  The Director of the CFPB is appointed by the President and confirmed by the Senate for a 5 year term.  The anticipated budget for this agency in 2011 is estimated to be $540 million.  The Federal Reserve Board is prohibited from intervening in the CFPB's rulemaking, examinations, and enforcement actions, and from appointing or removing any CFPB employees. 

In summary, a few of the more salient provisions affecting consumers include the CFPB's mandate to prescribe regulations regarding any interchange fee that an issuer may receive or charge with respect to an electronic debit transaction.  Within 9 months it shall establish standards for assessing whether the amount of any interchange transaction fee is "reasonable and proportional to the cost incurred by the issuer with respect to the transaction."  An "issuer" is defined as any person holding the asset account that is debited through an electronic debit transaction or issuing a credit or debit card, or the agent of such person with respect to such card.  Preloaded debit cards and debit or general-use cards provided by Federal, State or local government-administered payment programs are excluded from regulation.  It is anticipated that CFPB regulation of interchange fees will result in lowering the interchange fees charged or received in an electronic debit transaction. 

Furthermore, various payment card network restrictions are prohibited. The CFPB may regulate any network fee to ensure that no part of any network fee compensates an issuer with respect to an electronic debit transaction, and to ensure that no issuer or payment card network, directly or through any agent or processor, restricts the number of payment card networks on which an electronic debit transaction may be processed or restricts a merchant's ability to route an electronic debit transaction for processing to any processor.  The payment card networks will no longer be able to restrict or penalize a merchant who offers discounts for using a particular payment method, nor prohibit a merchant from setting a minimum dollar value for the acceptance of credit cards, so long as the minimum dollar value does not exceed $10.00 and does not differentiate between issuers or between payment card networks.  

According to a Ballard Spahr Legal Alert, "The CFPB will have sweeping authority to adopt and enforce substantive regulations that apply to any person that engages in offering or providing a "consumer financial product or service" (covered persons), other than those persons explicitly excluded by the Dodd-Frank Act.  Affiliates of covered persons who act as service providers to such persons are also treated as covered persons, subject to CFPB authority.  The CFPB's enforcement authority includes the power to impose civil penalties, ranging from $5,000 per day for garden-variety violations of federal consumer financial laws to $25,000 per day for reckless violations and $1 million per day for knowing violations."  Familiarity with the Act is an imperative.  When in doubt as to the applicability of the Act to your business you should consult with your legal advisor.
Who Is Handling Your Customers' Data?
by Chris Mark, Exec. Vice President, Data Security and Compliance
 
The payment card industry is comprised of several groups.  Among those are merchants and the 3rd parties that support merchants.  Both have an obligation to comply with the PCI DSS.  Some merchants may be required to validate compliance through either an onsite assessment or completion of a Self Assessment Questionnaire (SAQ) and a network scan.  All 3rd party service providers are required to both comply and validate compliance with the PCI DSS.  In addition, all 3rd party service providers must be registered with Visa and MasterCard as service providers. 
 
A service provider is defined as an organization that stores, transmits, or processes Cardholder Data on behalf of merchants.  A merchant is defined as an organization which has been issued a Merchant ID and which accepts payment cards in exchange for goods or services.  As a ProPay merchant you are required to comply with the PCI DSS. 
The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 high-level requirements and numerous sub-requirements which are designed to provide a baseline of information security controls to protect payment card data.
ProPay, as an acquiring agent, is responsible for monitoring and managing the compliance of all of our merchants.  Additionally, ProPay is required (as are all acquirers) to ensure that all 3rd party service providers which support ProPay merchants 1) validate compliance with the PCI DSS and 2) are registered with Visa and MasterCard. 
Failure to use a PCI DSS compliant and registered 3rd party can result in financial penalties up to $100,000.  These fines are given by the card brands and passed on from the acquiring banks. 
To ensure that your company is protected take the following steps:
  1. Identify whether you use a 3rd party to store, transmit, or process any credit or debit card data.
  2. If so, then ask the 3rd party to provide evidence of their PCI DSS compliance.  This will either be a completed self-assessment questionnaire, or a certificate of validation from an onsite assessment and a completed network scan.
  3. Ask the 3rd party to confirm that they have been registered with Visa and MasterCard.
If the 3rd party is not compliant and not registered and has a data breach, this will be attributed to the merchant (or merchants) who were using the 3rd party's services.  In short, any financial penalties associated with the breach would be passed down to the merchant under the card brand rules.  If, however, the 3rd party is compliant and registered then the merchants have protection against liability for any breach.
As can be seen, it is critical (and required by the card brands) to only use 3rd parties that comply with the card brand rules.  This includes the PCI DSS, as well as registration.
ProPay Announces ProtectPay Online Virtual Terminal
by Scott Nelson, VP Marketing

ProPay is pleased to announce that it has launched ProtectPay Online Virtual Terminal (OVT). This means that small and medium sized merchants can now securely store their customers' payment information in the ProtectPay Vault through the OVT. By storing this data with ProtectPay, small and medium sized merchants now experience the same security and PCI compliance benefits as larger organizations. 
 
The features and benefits of ProtectPay OVT include:
  • Secure Storage of Customer Payment Information - The ability to securely store customer payment information in ProPay's industry compliant data storage solution from the Online Terminal.
  • Repeat Billing - ProtectPay allows the payment information to be stored securely while allowing you to easily and conveniently use the data for repeat billing and ongoing business transactions.
  • Customer Satisfaction - Customers feel more confident in you as a merchant when they know their payment information is securely stored in a safe environment.
For more information about ProtectPay OVT, visit our website.
ProPay Introduces Mobile Processing Solutions
by Scott Nelson, VP Marketing

ProPay is pleased to announce that it has launched ProPay Mobile, a Web interface that enables credit and debit card payment processing through a simple browser interface on any Smartphone with a data plan. Merchants with a Smartphone and a ProPay Account can now conduct credit and debit card transactions virtually anytime, anyplace. 

ProPay Mobile enables merchants to accept credit or debit card payments anywhere the Smartphone's data plan is available. With ProPay Mobile merchants can: 
  • Process credit or debit cards through the Online Terminal
  • Transfer funds to a bank account on file
  • View account summary information including available balance, transactions in process, limit processed and limit remaining
ProPay Mobile is a free service available to existing ProPay Merchant Accounts. To access ProPay Mobile simply go to m.propay.com from any mobile device.
Upcoming ProPay Events
Webinar: Data Breaches and PCI Trends: Tales from a QSA Trainer
July 28, 2010 11 AM Mountain Time

While companies struggle to achieve and maintain compliance with the PCI DSS, data breaches continue nearly unabated.  From Eastern European organized crime rings to state sponsored cyber crime, companies today are facing an increasingly dangerous and skilled adversary.   Compliance with the PCI DSS is required and important.  Unfortunately, achieving compliance can be a complex task.   Join the International Payment Forum and noted payment security expert and former QSA trainer, Chris Mark for a webinar on the state of data crime and PCI DSS.  Chris will discuss recent data compromise trends and provide an overview of the PCI DSS and offer real life advice on how to minimize the cost and complexity of achieving compliance.

The webinar is free if you register and you will receive a one year FREE International Payments Forum membership. To register for the webinar, click this link.  

Webinar: The Evolution of Tokenization and Its Impact on PCI DSS
August 10, 2010 1PM Mountain Time
 
Data replacement or "Tokenization" technologies have been around for several years now.  Like all technology they continue to evolve, so it is important to understand the differences between offerings.  The current 4th generation of tokenization solutions can both reduce the risk of compromise and reduce PCI DSS obligations.  Join ProPay's EVP of Data Security, Chris Mark, and learn how data replacement technologies can benefit your company.
 
To register for the webinar, click this link.

DISCLAIMER:  ProPay, Inc. provides this newsletter only for general information or educational purposes.  Nothing herein should be relied upon without seeking the advice of an attorney or other professional appropriate to the subject matter.  While ProPay, Inc. strives to ensure information in this newsletter is accurate and current, ProPay, Inc. does not guarantee or represent that the information is correct, complete, or up-to-date; nor shall ProPay, Inc. be liable for any indirect, incidental or consequential damages (including lost data, information or profits) sustained or incurred in connection with the use of, operation of, or reliance upon any information contained in this newsletter.